Back to overview

CVE-2026-11901

MEDIUM
5.3
CVSS 3.1
Description
The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the `web_hook_process_paypal_standard()` IPN handler selecting its PayPal validation endpoint from the attacker-controlled `$_REQUEST['test_ipn']` parameter, force-upgrading any `pending` transaction to `completed` when `test_ipn=1`, and omitting post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness after receiving a `VERIFIED` response from PayPal. This makes it possible for unauthenticated attackers to mark arbitrary hotel bookings as fully paid without submitting genuine payment to the merchant — either by routing IPN validation through PayPal's sandbox using a free sandbox account, or by replaying a previously verified IPN from a nominal payment to an attacker-controlled PayPal account. An attacker requires only a free PayPal sandbox account (or any PayPal account) to obtain a `VERIFIED` response; no site credentials or special configuration are needed.

Metadata

CVE ID
CVE-2026-11901
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-06-10 15:44 UTC
Published
2026-07-11 05:35 UTC
Last updated
2026-07-11 05:35 UTC
Primary CWE
CWE-345
CWE-345 Insufficient Verification of Data Authenticity
Vendor / Product
thimpress / WP Hotel Booking
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
thimpress WP Hotel Booking 0 ≤ 2.3.1
Weakness (CWE)
CWESourceDescription
CWE-345 cna CWE-345 Insufficient Verification of Data Authenticity
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Back to overview